Microsoft orders security audit after Hotmail breach

Microsoft reveals that it is turning to an outside auditor to test the security of its free email service, Hotmail, after a breach was discovered last week that threatened users' privacy.

Microsoft revealed today that it is turning to an outside auditor to test the security of its free email service, Hotmail, after a breach was discovered last week that threatened its users' privacy.

Microsoft pulled Hotmail offline for about two hours August 30 after two European Web sites alerted the company that any Net user could access any Hotmail account without a password as long as a user's name, commonly found in a Hotmail email address, was known.

According to security experts, the potential damage varied from allowing unauthorized parties to see a user's list of messages to allowing them to take complete control of an account.

As first reported by CNET News.com, Microsoft said it fixed the security problem the same day, but it has decided to go a step further by testing the integrity of Hotmail, which has more than 40 million active members.

"We have voluntarily invited a third-party firm to conduct its own inquiry and present us with their findings," Microsoft spokesman Tom Pilla told CNET News.com. Microsoft, in conjunction with Truste, had planned to disclose the news on Monday. Truste is a nonprofit group that acts as a privacy watchdog.

"It's an ongoing process and we're working with Truste on that," Pilla said. "We definitely take privacy very seriously here, and the incident last week was regrettable, but we moved swiftly to resolve any issues."

Microsoft wouldn't provide the name of the auditing firm, which will review Hotmail security but not the security of Microsoft's other Web sites that collect personal information from users.

The move by Microsoft was apparently prompted by complaints made to Truste, which is expected to publish the so-called watchdog reports publicly. Microsoft is a premier sponsor of Truste and carries the program's licensed seal, which informs Web users about precautions a site is taking to protect their privacy.

Late this afternoon Truste went ahead and posted an advisory on its Web site stating that Microsoft had agreed to its recommendation to hire a third-party firm to investigate and confirm that the Hotmail security hole had been fixed.

"We are pleased with what Microsoft is doing, but we needed to assure those who had concerns that the process was underway to address this," David Steer, communications manager for Truste, said today.

With issues like the Hotmail hole popping up more and more, Truste will start focusing on security issues, Bob Lewin, the organization's executive director, added in a statement.

"The bottom line is that there is no trust without privacy and, likewise, there is no privacy without reasonable security of the data being collected," Lewin stated.

Privacy seal programs have been touted by the online industry and the Clinton administration as one way to safeguard Net users' anonymity without government regulation. But consumer advocates want stricter laws put in place for the digital age, as Net users are constantly forfeiting valuable personal information in exchange for goods and customized Web content.

The Truste seal usually applies to the use of personal information collected from surfers, but licensees also have to ensure that they will "help protect the security" of the information they store.

Although free Web-based email services are one of the Web's most popular tools, they have suffered from service problems in the past.

This is not Truste's first investigation into Microsoft privacy practices. In March, Truste looked into a feature in Microsoft's Windows 98 operating system that could be exploited to collect information about authors of electronic documents without their knowledge through a unique identification number.

But Truste concluded that Microsoft.com, which carries the seal, was in compliance with all Truste principles. The program did state, however, that "while the complaint itself does not pertain to the Web site, Truste believes that it is important to note that the transfer of hardware IDs to the Microsoft secure server without customer consent did, in Truste's opinion, compromise consumer trust and privacy."